Effective password management is the most central single element in assuring the overall security of Longwood's information technology (IT) resources and systems and the protection of University data. The purpose of this policy is to ensure that all users are aware of their responsibilities in effective password management and to ensure that appropriate password standards are applied to all University IT systems.
This policy applies to all IT systems whether connected to the network or standalone, hosted internally or externally or administered by Information and Instructional Technology Services (IITS) or another department.
Password Management: Password management is the selection, distribution, use, modification and testing of computer system passwords.
All who participate in the use and administration of Longwood's IT resources and systems share responsibility for effective password management. Specific responsibilities are assigned as follows:
- Password Standards: Passwords will be required on all University sensitive IT systems and other IT systems where passwords are necessary for accountability, as well as on University mobile devices (e.g., smart phones). IITS will provide Minimum Password Standards that must be applied to all University IT systems that utilize passwords for authentication; however, more rigorous password requirements will be applied to IT systems commensurate with the systems' sensitivity and risk. The actual password requirements applied to the IT system will be documented in the IT system security plan.
- Password Testing: IITS reserves the right to monitor the overall security of Longwood's IT environment by testing the strength of passwords on all University IT systems, both those it administers and others.
- Personal Ownership of Password Management: Ultimately, individuals using Longwood's IT resources and systems are responsible for assuring effective password management. To fulfill this responsibility, they shall be aware of and follow the Minimum Password Standards. Most notably, this includes creating strong passwords (see Password Creation Guidelines) and safeguarding their passwords' integrity. Passwords represent an individual's identity to the IT system and should never be disclosed to or used by others.
Responsibility to Report Compromise: All users are required to immediately contact the Help Desk and change their password if at any time they suspect their password has been compromised.
V. Exception And Exemptions
The Chief Information Officer of Longwood University must approve exceptions to or exemptions from any provision of this policy or the Minimum Password Standards in writing.
The University regards any violation of this policy as a serious offense. Violators of this policy are subject to disciplinary action, in addition to possible cancellation of IT resources and systems access privileges. Users of IT resources and systems at Longwood are subject to all applicable local, state and federal statutes. This policy does not preclude prosecution of criminal and civil cases under relevant local, state, federal and international laws and regulations.
Approved by the Board of Visitors, September 7, 2002.
Revised and approved by the Board of Visitors, December 5, 2008.